How to quickly mitigate BGP security risks with route analytics
The finance sector fights numerous threats every day, sometimes as many as a few thousand. So what can service providers do when their financial services customers demand 100 percent uptime and bulletproof network security? In particular, what can they do when they’re concerned about risks from BGP route leaks and the potential for malicious attacks?
Let’s look at a use case from a large mobile network operator.
Mitigating BGP security risks for a European mobile operator
One of Europe’s largest mobile network operators owns multiple Autonomous Systems (AS), each with operating units that cater to different customers. The operator was concerned about BGP security, since any site could announce a prefix belonging to another and divert customer traffic to the wrong site. This type of incident could be caused by two things:
- Unintentional configuration errors that lead to route leaks
- Malicious Denial of Service (DoS), or ‘man in the middle’, attacks via BGP route hijacking
The security issues concerning BGP are well known and can’t be fixed, so the operator had to consider workarounds. Both route hijacking and unintentional leaks can result in serious consequences such as SLA penalties, damage to reputation, or even loss of business.
The operator did use route filters, but given the huge number of IP blocks they had and the updates they dealt with every day, there was a high risk of error and of shutting out their own customers. The operator also considered other solutions, such as digitally signing route updates or using only a set of known routes, both of which were eliminated because they were not scalable. Additionally, during a BGP hijack, they could not check their own BGP router’s routing table. This is because, to avoid routing loops, BGP does not add routes that carry the local AS in the AS_PATH attribute back to that same router.
The network operator required a solution that could alert them in real time to possible BGP security incidents without adding network overhead. They implemented Blue Planet® Route Optimization and Assurance (ROA). Blue Planet ROA’s BGP baselining capability keeps track of the normal/expected BGP routes for all the BGP border routers and alerts the operator immediately when a route goes missing or a new route appears. Thus, when an AS announces a new prefix, ROA alerts the operator and can verify if the prefix change is genuine or a possible attack.
ROA monitors BGP routing and detects prefixes not in baseline.
With ROA in place to monitor IGP as well as BGP, the operator can quickly respond to route hijacks, leaks, and various BGP issues, helping solve routing issues even before their customers report an issue. The service provider also uses route analytics to make informed decisions about optimizing their routing and peering.
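The baselining idea described above can be sketched as a diff between an expected route table and the current one for each border router. This is an added example, not Blue Planet ROA code; the router names, the prefix-to-origin-AS table layout and the sample routes are constructed, and the origin-change and more-specific checks go beyond the missing/new-route alerts the article describes.

```python
import ipaddress

# Constructed sample data (documentation prefixes, private-use ASNs).
# Assumed layout: border router -> {prefix: origin AS}.
BASELINE = {
    "br1": {"198.51.100.0/24": 64500, "203.0.113.0/24": 64501},
    "br2": {"198.51.100.0/24": 64500, "192.0.2.0/24": 64502},
}
CURRENT = {
    "br1": {"198.51.100.0/24": 64500, "203.0.113.0/24": 64510},
    "br2": {"198.51.100.0/24": 64500, "198.51.100.128/25": 64511},
}


def covering_prefix(prefix, known):
    """Return the baseline prefix that strictly covers `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    for cand in known:
        cnet = ipaddress.ip_network(cand)
        if cnet.version == net.version and cnet != net and net.subnet_of(cnet):
            return cand
    return None


def diff_against_baseline(baseline, current):
    """Return sorted (router, kind, prefix, detail) alerts."""
    alerts = []
    for router in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(router, {}), current.get(router, {})
        for prefix, origin in base.items():
            if prefix not in cur:  # expected route has disappeared
                alerts.append((router, "MISSING", prefix, f"expected origin AS{origin}"))
            elif cur[prefix] != origin:  # same prefix, different announcer
                alerts.append((router, "ORIGIN_CHANGE", prefix,
                               f"AS{origin} -> AS{cur[prefix]}"))
        for prefix, origin in cur.items():
            if prefix in base:
                continue
            parent = covering_prefix(prefix, base)
            if parent:  # new route carves a subnet out of a baseline prefix
                alerts.append((router, "MORE_SPECIFIC", prefix,
                               f"AS{origin} inside baseline {parent}"))
            else:
                alerts.append((router, "NEW", prefix, f"origin AS{origin}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in diff_against_baseline(BASELINE, CURRENT):
        print(*alert)
```

A more-specific announcement is reported separately because longest-prefix matching means it attracts traffic even while the baseline route is still present.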
This content was originally published on the Packet Design blog and has been updated since the acquisition by Blue Planet.